CN113783871B - Micro-isolation protection system adopting zero trust architecture and protection method thereof - Google Patents


Info

Publication number
CN113783871B
Authority
CN (China)
Prior art keywords
network, security, micro, layer, policy
Legal status
Active
Application number
CN202111056649.1A
Other languages
Chinese (zh)
Other versions
CN113783871A
Inventors
谢林江, 杭菲璐, 郭威, 吕垚, 陈何雄, 罗震宇, 和悦, 毛正雄, 何映军, 张振红
Current Assignee
Information Center of Yunnan Power Grid Co Ltd
Original Assignee
Information Center of Yunnan Power Grid Co Ltd

Events
Application filed by Information Center of Yunnan Power Grid Co Ltd
Priority to CN202111056649.1A
Publication of CN113783871A
Application granted
Publication of CN113783871B
Legal status: Active

Classifications

All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security:

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a micro-isolation protection system and method adopting a zero trust architecture. The system comprises a logical architecture and a physical architecture: the logical architecture comprises an execution layer, an acquisition layer, a persistence layer, a logic function layer and a display layer; the physical architecture comprises a policy control center, a security gateway and an Agent plug-in. Building on a full understanding of the cloud computing environment and on the zero trust security concept, the invention integrates several security technologies, including network micro-isolation, a security gateway and system environment sensing, to achieve secure admission of north-south traffic, adaptive control of east-west traffic, and real-time correlation of the access device's security state with the network policy.

Description

Micro-isolation protection system adopting zero trust architecture and protection method thereof
Technical Field
The invention belongs to the technical field of network security maintenance, and particularly relates to a micro-isolation protection system adopting a zero trust architecture and a protection method thereof.
Background
With the emergence of new IT technologies such as cloud computing, increasingly blurred network security boundaries, complex network access environments and huge numbers of network assets bring new challenges to enterprise security: east-west traffic is difficult to manage, huge sets of network policies are difficult to maintain, north-south traffic lacks a complete admission mechanism, and the security level of the access environment is decoupled from the network policy. Traditional protection schemes based on a fixed boundary have gradually become ineffective.
Whether in a traditional intranet environment or in a current cloud host environment, existing network security protection methods have at least three problems:
1. North-south traffic lacks a complete admission mechanism. This includes remote connections between the internal and external networks, the fact that TCP/IP connects before it verifies, and the division of application service and resource access permissions among different roles. These problems also existed in the traditional Internet, and the rapid development of cloud computing has made them more serious.
2. East-west traffic is difficult to control. A traditional network boundary can rely on a chain of products such as firewalls, WAF, IDS and IPS for security protection, but once these boundary security products are bypassed the network lacks any corresponding security guarantee mechanism, and many intranet hosts are left in a "naked running" state.
3. Network user identity authentication only verifies the account and cannot verify the security of the access device. For a user accessing a cloud computing network or a traditional intranet, account verification is generally performed only once at access time; once verification passes, the user holds the corresponding network access permission until the user voluntarily gives it up, and the security of the access device cannot be verified during access.
Disclosure of Invention
Aiming at the defects in the prior art, the micro-isolation protection system and method adopting a zero trust architecture solve the following problems: current networks find it difficult to realize admission control of north-south traffic and of business application resources; east-west traffic is difficult to control and easily enables springboard (pivoting) attacks; and network access devices are identity-verified only once, with no real-time verification mechanism for the device's security environment.
In order to achieve the aim of the invention, the invention adopts the following technical scheme. A micro-isolation protection system adopting a zero trust architecture comprises a logical architecture and a physical architecture, wherein the logical architecture comprises an execution layer, an acquisition layer, a persistence layer, a logic function layer and a display layer; the physical architecture comprises a policy control center, a security gateway and an Agent plug-in;
the execution layer executes the security policy specified by the policy control center; the acquisition layer collects the assets of the network access devices; the persistence layer formats and stores the asset information and provides the data basis for the policy control center; the logic function layer formulates and maintains the trusted network admission and access policy, performs device environment risk assessment, and formulates and maintains the micro-isolation policy; the display layer exports device risk assessment reports and displays a network traffic topology graph;
the policy control center is responsible for executing the functions of the persistence layer, the logic function layer and the display layer; the security gateway is responsible for the identity verification of the execution layer; the Agent plug-in is responsible for the other functions of the acquisition layer and the execution layer, except identity verification.
Further, the assets collected by the acquisition layer comprise asset information, network traffic information, antivirus (virus scanning and removal) status of the device, and system and application vulnerability information.
The micro-isolation protection method adopting the zero trust architecture is applied to the micro-isolation protection system and specifically comprises the following steps:
monitoring east-west traffic, north-south traffic and the security state of network access devices in real time during network operation, and applying the corresponding policy to realize micro-isolation protection whenever one or more of east-west traffic adaptive control, north-south traffic secure admission, or real-time correlation of the network access device's security state with the network is required.
Further, the condition for adaptive control of east-west traffic is that east-west traffic between hosts or services exceeds a set threshold;
the condition for secure admission of north-south traffic is that a user requests access to the network and network resources;
the condition for real-time correlation of the network access device's security state is that the trust evaluation score of the access device is below a set threshold.
Further, the micro-isolation protection policy corresponding to east-west traffic adaptive control is specifically as follows:
A1, an administrator starts a network traffic collection policy in the policy control center;
A2, based on the network traffic collection policy, the Agent plug-in collects the network traffic information of the whole platform;
A3, the policy control center generates a trusted network policy based on the collected network traffic information;
A4, the administrator confirms and optimizes the generated trusted network policy and issues it to the Agent plug-in;
A5, the Agent plug-ins receive and execute the trusted network policy between the subjects;
A6, the Agent plug-in captures whether the traffic between the subjects conforms to the current trusted network policy;
if yes, go to step A7;
if not, go to step A6;
A6, allow the current traffic, realizing east-west traffic adaptive control;
A7, deny the current traffic, report to the policy control center, and return to step A3.
Further, in step A5, the subjects executing the trusted network policy include host-to-host and security-domain-to-security-domain.
Further, the micro-isolation protection policy corresponding to secure admission of north-south traffic is specifically as follows:
B1, when a user initiates a network access request, the Agent plug-in sends a security authentication request to the policy control center;
B2, the policy control center performs identity verification on the user associated with the received security authentication request and judges whether verification passes;
if yes, go to step B3;
if not, go to step B6;
B3, the Agent plug-in receives the encrypted connection information sent by the policy control center and initiates a TLS tunnel connection request to the security gateway;
B4, the security gateway performs identity authentication on the current user and judges whether authentication passes;
if yes, go to step B5;
if not, go to step B6;
B5, the Agent plug-in is connected to the back-end resource according to the current trusted network policy issued by the policy control center, securely admitting the north-south traffic;
B6, the user's access request is rejected.
Further, in step B3, the encrypted connection information received by the Agent plug-in includes the security gateway and resource sent by the policy control center to the Agent plug-in through an encrypted channel, and the information about the accessing user and the resource to be accessed that is sent to the security gateway.
Further, the micro-isolation policy corresponding to real-time correlation of the network access device's security state with the network is specifically as follows:
C1, during network operation, the Agent plug-in collects the security elements of the access device in real time;
C2, based on the collected security elements and the trusted network policy of the policy control center, a trust evaluation score is computed for the current access device;
judge whether the trust evaluation score of the current access device is below the set threshold;
if yes, go to step C4;
if not, go to step C8;
C4, judge whether the current access device is in an external network (extranet) environment or an internal network (intranet) environment;
if in the intranet environment, go to step C5;
if in the extranet environment, go to step C6;
C5, the Agent plug-in is made to automatically link with the trusted network policy to isolate the current access device, then go to step C7;
C6, the Agent plug-in is made to automatically link with the security gateway to block the current device's network access behaviour, then go to step C7;
C7, access device environment sensing is completed and security environment verification is realized;
C8, the trust evaluation score of the current access device is reported to the policy control center.
Further, the security elements in step C1 include vulnerabilities of the system and applications, antivirus status, hardware configuration changes and internet access behaviour.
The beneficial effects of the invention are as follows:
building on a full understanding of the cloud computing environment and on the zero trust security concept, the invention integrates several technologies, including network micro-isolation, a security gateway and system environment perception, and achieves the following:
(1) By adopting security gateway technology, network assets are prevented from being directly exposed to the Internet, and application-level secure access centred on user permissions is realized;
(2) By adopting adaptive micro-isolation protection technology, east-west traffic isolation rules are established intelligently, effectively simplifying the management of network isolation;
(3) By adopting device security environment sensing technology, the security gateway and micro-isolation functions are managed dynamically, the security of network access devices is monitored in real time, and intrusion of malicious behaviour into the internal network through unsafe devices is effectively blocked.
Drawings
Fig. 1 is a schematic structural diagram of a micro-isolation protection system adopting a zero trust architecture according to the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to help those skilled in the art understand the invention; it should be understood that the invention is not limited to the scope of these embodiments, and that, for those skilled in the art, all inventions that make use of the inventive concept fall within the spirit and scope of the present invention as defined in the appended claims.
Before describing particular embodiments, in order to make the invention clearer and more complete, the abbreviations and key terms appearing in the invention are defined first:
North-south traffic: when a network topology is drawn, it is customary to place the server and the client above and below each other, so traffic between them is called north-south traffic.
East-west traffic: traffic between servers is drawn horizontally in the network topology graph, so it is called east-west traffic, also known as lateral traffic.
Micro-isolation technology: micro-segmentation, a technology proposed by VMware for virtualization isolation, can meet the east-west traffic isolation requirements of traditional, virtualized, hybrid cloud and container environments, and is mainly used to prevent an attacker who has entered the enterprise data center network from then moving laterally (east-west movement).
Zero trust: zero trust represents a new generation of network security protection concept, characterized by breaking the default "trust"; summarized in a popular phrase, it is "continuous verification, never trust". No person, device or system inside or outside the enterprise network is trusted by default; the trust basis for access control is rebuilt on identity authentication and authorization, ensuring identity trust, device trust, application trust and link trust. Based on the zero trust principle, three kinds of "security" of an office system can be ensured: terminal security, link security and access control security.
Security gateway: a security gateway is an integration of various technologies with important and unique protective effects, ranging from protocol-level filtering to very complex application-level filtering; it is deployed to prevent unsafe factors from the Internet or an external network from spreading into the internal network of the user's enterprise or organization.
Example 1:
As shown in Fig. 1, a micro-isolation protection system adopting a zero trust architecture comprises a logical architecture and a physical architecture, wherein the logical architecture comprises an execution layer, an acquisition layer, a persistence layer, a logic function layer and a display layer; the physical architecture comprises a policy control center, a security gateway and an Agent plug-in;
the execution layer executes the security policy specified by the policy control center; the acquisition layer collects the assets of the network access devices; the persistence layer formats and stores the asset information and provides the data basis for the policy control center; the logic function layer formulates and maintains the trusted network admission and access policy, performs device environment risk assessment, and formulates and maintains the micro-isolation policy; the display layer exports device risk assessment reports and displays a network traffic topology graph;
the policy control center is responsible for executing the functions of the persistence layer, the logic function layer and the display layer; the security gateway is responsible for the identity verification of the execution layer; the Agent plug-in is responsible for the other functions of the acquisition layer and the execution layer, except identity verification.
The assets collected by the acquisition layer comprise asset information, network traffic information, antivirus (virus scanning and removal) status of the device, and system and application vulnerability information.
Based on this system structure, micro-isolated network protection is realized as follows: for north-south traffic, the security gateway module performs identity verification and access authorization; for east-west traffic, the micro-isolation module performs adaptive network traffic control; and the security environment sensing module checks the security of network access devices in real time, and as soon as a device abnormality is sensed, the network access behaviour is immediately interrupted.
Example 2:
Based on the system structure of Example 1, this embodiment provides a micro-isolation protection method using a zero trust architecture. The method is applied to the micro-isolation protection system and specifically comprises:
monitoring east-west traffic, north-south traffic and the security state of network access devices in real time during network operation, and applying the corresponding policy to realize micro-isolation protection whenever one or more of east-west traffic adaptive control, north-south traffic secure admission, or real-time correlation of the network access device's security state with the network is required.
In the method, the condition for adaptive control of east-west traffic is that east-west traffic between hosts or services exceeds a set threshold;
the condition for secure admission of north-south traffic is that a user requests access to the network and network resources;
the condition for real-time correlation of the network access device's security state is that the trust evaluation score of the access device is below a set threshold.
In this embodiment, the micro-isolation protection policy corresponding to east-west traffic adaptive control is specifically:
A1, an administrator starts a network traffic collection policy in the policy control center;
A2, based on the network traffic collection policy, the Agent plug-in collects the network traffic information of the whole platform;
A3, the policy control center generates a trusted network policy based on the collected network traffic information;
A4, the administrator confirms and optimizes the generated trusted network policy and issues it to the Agent plug-in;
A5, the Agent plug-ins receive and execute the trusted network policy between the subjects;
wherein the subjects executing the trusted network policy include host-to-host and security-domain-to-security-domain.
A6, the Agent plug-in captures whether the traffic between the subjects conforms to the current trusted network policy;
if yes, go to step A7;
if not, go to step A6;
A6, allow the current traffic, realizing east-west traffic adaptive control;
A7, deny the current traffic, report to the policy control center, and return to step A3.
This policy is mainly used to control the network (lateral) traffic between hosts or between services. First, all terminals on the platform are divided into different security domains according to terminal attributes such as business or organizational structure; then the agent program located on each terminal automatically collects the network traffic information of the whole platform, and the management center displays the network traffic access relationships between different security domains and between hosts intuitively through traffic visualization. Combining the strong computing power of the policy control center with intelligent analysis, trusted network policies between domains and between hosts are generated automatically, and finally network-side and service-level micro-isolation between the hosts on the platform is realized, fundamentally solving the rigidity and maintenance difficulty of the original host-based firewall policies.
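As an added illustration of steps A2, A3, A6 and A7 (as described both in the summary above and in this embodiment), and not code from the patent, the following Python sketch derives a domain-level trusted network policy from constructed flow records and then checks new flows against it. The host-to-domain inventory, the flow records and the `min_count` parameter are assumptions made for the example; the patent does not specify how the policy control center derives its rules.

```python
# Added example (not code from the patent): trusted network policy generation
# and enforcement for east-west traffic, following steps A2, A3, A6 and A7.
# The host-to-domain inventory, flow records and the min_count parameter are
# constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Constructed: terminals divided into security domains by business attribute.
HOST_DOMAIN = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "office",
}

# Constructed: flow records as an Agent would collect them in step A2,
# as (src_ip, dst_ip, dst_port, protocol).
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080, "tcp"),
    ("10.0.1.11", "10.0.2.20", 8080, "tcp"),
    ("10.0.2.20", "10.0.3.30", 3306, "tcp"),
    ("10.0.2.20", "10.0.3.30", 3306, "tcp"),
]


@dataclass(frozen=True)
class Rule:
    """One allow rule of the trusted network policy (domain level)."""
    src_domain: str
    dst_domain: str
    dst_port: int
    proto: str


def generate_policy(flows, host_domain, min_count=1):
    """Step A3: derive domain-to-domain allow rules from observed flows.

    A (src_domain, dst_domain, port, proto) combination seen at least
    min_count times becomes an allow rule; anything not listed is denied.
    Flows involving hosts outside the inventory are ignored so that an
    unmanaged host cannot teach the policy an allow rule for itself."""
    counts = defaultdict(int)
    for src, dst, port, proto in flows:
        if src in host_domain and dst in host_domain:
            counts[Rule(host_domain[src], host_domain[dst], port, proto)] += 1
    return {rule for rule, n in counts.items() if n >= min_count}


def evaluate_flow(policy, host_domain, src, dst, port, proto):
    """Steps A6/A7: check one flow against the trusted policy.

    Returns ("allow", None) when the flow conforms, otherwise ("deny", report),
    where report is what the Agent would send to the policy control center."""
    src_dom = host_domain.get(src, "unknown")
    dst_dom = host_domain.get(dst, "unknown")
    if Rule(src_dom, dst_dom, port, proto) in policy:
        return "allow", None
    report = {"src": src, "dst": dst, "port": port, "proto": proto,
              "src_domain": src_dom, "dst_domain": dst_dom}
    return "deny", report


if __name__ == "__main__":
    policy = generate_policy(OBSERVED_FLOWS, HOST_DOMAIN)
    for rule in sorted(policy, key=lambda r: (r.src_domain, r.dst_domain)):
        print("allow", rule)
    # A web host talking straight to the database was never observed -> denied.
    print(evaluate_flow(policy, HOST_DOMAIN, "10.0.1.10", "10.0.3.30", 3306, "tcp"))
```

Two points the steps leave implicit are made explicit here: rules are generated only from flows between inventoried hosts, so traffic from an unmanaged host during the collection phase cannot become an allow rule, and a denied flow carries the domain labels in its report so that the administrator reviewing it in step A4 can decide whether the policy or the host is wrong.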
In this embodiment, the micro-isolation protection policy corresponding to secure admission of north-south traffic is specifically:
B1, when a user initiates a network access request, the Agent plug-in sends a security authentication request to the policy control center;
B2, the policy control center performs identity verification on the user associated with the received security authentication request and judges whether verification passes;
if yes, go to step B3;
if not, go to step B6;
wherein a response message is sent to the user who passed verification;
B3, the Agent plug-in receives the encrypted connection information sent by the policy control center and initiates a TLS tunnel connection request to the security gateway;
the encrypted connection information received by the Agent plug-in includes the security gateway and resource sent by the policy control center to the Agent plug-in through an encrypted channel, and the information about the accessing user and the resource to be accessed that is dynamically sent to the security gateway; after receiving the response message, the Agent plug-in sends a TLS tunnel connection request to the security gateway;
B4, the security gateway performs identity authentication on the current user and judges whether authentication passes;
if yes, go to step B5;
if not, go to step B6;
specifically, when the security gateway receives the TLS tunnel connection request from the agent plug-in, it checks the identity of the agent and the information about the agent issued by the controller; after the check passes, a secure TLS tunnel connection is established between the agent and the security gateway;
B5, the Agent plug-in is connected to the back-end resource according to the current trusted network policy issued by the policy control center, securely admitting the north-south traffic;
the back-end resource refers to the resource the user requests to access, such as a business server;
B6, the user's access request is rejected.
This policy is based on the zero trust security model: it takes user permissions as the center to realize application-level secure access, forms an on-demand, dynamic permission matrix, manages user identities in combination with IAM authentication technology, pre-establishes the policy for the accessible resource range on the basis of user authentication, and effectively controls the range of the accessible resource list.
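The admission sequence B1 to B6, as an added example that is not the patent's own code: the policy control center (PCC) authenticates the user and issues the Agent connection information naming the gateway and resource; the security gateway then verifies that the information really came from the PCC, has not expired and matches the resource requested, before admitting the connection. The TLS tunnel itself is assumed to exist and is not modelled; the PCC-to-gateway shared key, the user record, the PBKDF2 password store, the resource and gateway names, and the five-minute validity are all constructed assumptions.

```python
# Added example (not code from the patent): the north-south admission flow of
# steps B1-B6 modelled as a signed connection grant. The PCC authenticates the
# user and issues the Agent a grant naming the gateway and resource; the
# security gateway checks the grant's signature, expiry and resource before
# admitting. The TLS tunnel is assumed and not modelled; the shared key, user
# record, resource and gateway names are constructed values.
import hashlib
import hmac
import json
import time

# Constructed: key shared by the PCC and the security gateway (the encrypted
# channel of step B3 is assumed to protect the grant in transit).
PCC_GATEWAY_KEY = b"constructed-shared-key-for-illustration-only"
PW_SALT = b"constructed-salt"


def password_hash(password: str) -> bytes:
    # PBKDF2 stands in for whatever password store the IAM system actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)


# Constructed user inventory: credentials plus the resources the user may reach
# (the pre-established access resource range of the policy).
USERS = {
    "alice": {"pw": password_hash("s3cret"), "resources": {"erp.internal:443"}},
}
# Constructed: which security gateway fronts which back-end resource.
GATEWAY_FOR_RESOURCE = {"erp.internal:443": "gw1.internal:8443"}


def _sign(grant: dict) -> str:
    body = json.dumps(grant, sort_keys=True).encode()
    return hmac.new(PCC_GATEWAY_KEY, body, hashlib.sha256).hexdigest()


def pcc_authenticate(user: str, password: str, resource: str, now=None, ttl=300):
    """Steps B1-B3 on the PCC side: verify the user and, on success, return the
    connection information for the Agent; None means step B6 (reject)."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(password_hash(password), rec["pw"]):
        return None
    if resource not in rec["resources"]:  # outside the user's resource range
        return None
    now = int(time.time()) if now is None else now
    grant = {"user": user, "resource": resource,
             "gateway": GATEWAY_FOR_RESOURCE[resource], "exp": now + ttl}
    return {"grant": grant, "sig": _sign(grant)}


def gateway_admit(conn_info: dict, requested_resource: str, now=None) -> bool:
    """Steps B4-B5 on the gateway side: re-check what the Agent presents over
    the TLS tunnel against what the PCC issued."""
    if not hmac.compare_digest(_sign(conn_info["grant"]), conn_info["sig"]):
        return False  # forged or tampered grant
    now = int(time.time()) if now is None else now
    if conn_info["grant"]["exp"] < now:
        return False  # stale grant: the user must authenticate again
    return conn_info["grant"]["resource"] == requested_resource


if __name__ == "__main__":
    info = pcc_authenticate("alice", "s3cret", "erp.internal:443")
    print("gateway admits:", info is not None and gateway_admit(info, "erp.internal:443"))
    print("wrong password:", pcc_authenticate("alice", "nope", "erp.internal:443"))
```

The gateway never trusts the Agent's claim on its own: it recomputes the signature over the grant the PCC issued, so an Agent that edits the resource field in its copy of the connection information is rejected at step B4, which is the check the embodiment describes as "the information about the agent issued by the controller".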
In this embodiment, the micro-isolation policy corresponding to real-time correlation of the network access device's security state with the network specifically comprises the following steps:
C1, during network operation, the Agent plug-in collects the security elements of the access device in real time;
the security elements include vulnerabilities of the system and applications, antivirus status, hardware configuration changes and online environment behaviour;
C2, based on the collected security elements and the trusted network policy of the policy control center, a trust evaluation score is computed for the current access device;
judge whether the trust evaluation score of the current access device is below the set threshold;
if yes, go to step C4;
if not, go to step C8;
C4, judge whether the current access device is in an external network (extranet) environment or an internal network (intranet) environment;
if in the intranet environment, go to step C5;
if in the extranet environment, go to step C6;
C5, the Agent plug-in is made to automatically link with the trusted network policy to isolate the current access device, then go to step C7;
C6, the Agent plug-in is made to automatically link with the security gateway to block the current device's network access behaviour, then go to step C7;
C7, access device environment sensing is completed and security environment verification is realized;
C8, the trust evaluation score of the current access device is reported to the policy control center.
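The scoring and branching of steps C1 to C8, as an added example that is not the patent's own code: the Agent's collected security elements are turned into a trust score, compared with a threshold, and the intranet/extranet position of the device selects between isolation through the trusted network policy and blocking at the security gateway. The element fields, the deduction weights, the threshold of 60 and the action names are constructed assumptions; the patent fixes neither the scoring formula nor the threshold value.

```python
# Added example (not code from the patent): device trust scoring and the
# response branch of steps C1-C8. The security element fields, the weights,
# the threshold of 60 and the action names are constructed assumptions.
from dataclasses import dataclass


@dataclass
class SecurityElements:
    """Step C1: what the Agent collects from the access device (constructed fields)."""
    unpatched_vulns: int        # system and application vulnerabilities
    av_running: bool            # antivirus present and active
    av_signature_age_days: int  # how stale the antivirus signatures are
    hardware_changed: bool      # hardware configuration change since enrolment
    risky_connections: int      # online behaviour, e.g. deny-listed destinations


def trust_score(e: SecurityElements) -> int:
    """Step C2: start from 100 and deduct per risk element. Each element's
    deduction is capped so that one noisy element alone does not dominate."""
    score = 100
    score -= min(e.unpatched_vulns, 5) * 8           # up to -40
    if not e.av_running:
        score -= 30
    elif e.av_signature_age_days > 7:
        score -= 10
    if e.hardware_changed:
        score -= 15
    score -= min(e.risky_connections, 3) * 10        # up to -30
    return max(score, 0)


def respond(e: SecurityElements, in_intranet: bool, threshold: int = 60) -> dict:
    """Steps C3-C8: decide the action the policy control center drives."""
    score = trust_score(e)
    if score >= threshold:
        # C8: healthy enough, just report the score to the policy control center.
        return {"score": score, "action": "report"}
    if in_intranet:
        # C5: the Agent links with the trusted network policy and isolates the host.
        return {"score": score, "action": "isolate_via_trusted_policy"}
    # C6: the Agent links with the security gateway, which blocks the access.
    return {"score": score, "action": "block_at_security_gateway"}


if __name__ == "__main__":
    healthy = SecurityElements(0, True, 1, False, 0)
    compromised = SecurityElements(3, False, 30, True, 2)
    print(respond(healthy, in_intranet=True))
    print(respond(compromised, in_intranet=True))
    print(respond(compromised, in_intranet=False))
```

Because the score is recomputed every time the Agent reports (not only at login), a device that passed admission in step B2 but later loses its antivirus or gains a hardware change drops below the threshold and is isolated or blocked without waiting for the user to reconnect, which is the single-verification gap the Background section describes.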

Claims (4)

1. The system for realizing the micro-isolation protection method comprises a logical architecture and a physical architecture, wherein the logical architecture comprises an execution layer, an acquisition layer, a persistence layer, a logic function layer and a presentation layer; the physical architecture comprises a policy control center, a security gateway and an Agent plug-in;
the execution layer is used for executing the security policy specified by the policy control center; the acquisition layer is used for acquiring the assets of network access devices; the persistence layer is used for formatting and storing the asset information and providing the data basis for the policy control center; the logic function layer is used for formulating and maintaining the network trust admission and access policy, and for carrying out device environment risk assessment and micro-isolation policy formulation and maintenance; the presentation layer is used for exporting the device risk assessment report and displaying the network traffic topology graph;
the policy control center is responsible for the functions of the persistence layer, the logic function layer and the presentation layer; the security gateway is responsible for the identity verification of the execution layer; the Agent plug-in is responsible for the other functions of the acquisition layer and the execution layer apart from identity verification;
the assets acquired by the acquisition layer comprise asset information, network traffic information, virus scanning and killing information of the device, and system and application vulnerability information;
the micro-isolation protection method is characterized in that it is applied to the micro-isolation protection system, and the micro-isolation protection method adopting the zero trust architecture specifically comprises the following steps:
monitoring in real time the east-west traffic, the north-south traffic and the security state of network access devices during network operation, and, when any one or more of the conditions for east-west traffic adaptive control, north-south traffic security admission and real-time association of the network access device security state with the network are met, adopting the corresponding policy to realize micro-isolation protection;
the condition for east-west traffic adaptive control is: the east-west traffic between hosts or between services exceeds a set threshold;
the condition for north-south traffic security admission is: a user requests access to the network and network resources;
the condition for real-time association of the network access device security state is: the trust evaluation score of the device accessing the network is lower than a set threshold;
the micro-isolation protection policy corresponding to east-west traffic adaptive control is specifically as follows:
A1, the administrator enables the network traffic collection policy in the policy control center;
A2, the Agent plug-in collects the network traffic information of the whole platform based on the network traffic collection policy;
A3, the policy control center generates a trusted network policy based on the collected network traffic information;
A4, the administrator confirms and optimizes the generated trusted network policy and issues it to the Agent plug-in;
A5, the Agent plug-ins receive and execute the trusted network policy between subjects;
A6, the Agent plug-in captures whether the traffic between subjects conforms to the current trusted network policy;
if yes, enter step A7;
if not, enter step A6;
A6, allowing access according to the current traffic, realizing east-west traffic adaptive control;
A7, denying access according to the current traffic, reporting to the policy control center, and returning to step A3;
the micro-isolation protection policy corresponding to north-south traffic security admission is specifically as follows:
B1, when a user initiates a network access request, the Agent plug-in sends a security authentication request to the policy control center;
B2, the policy control center performs identity verification of the user associated with the received security authentication request and judges whether the verification passes;
if yes, enter step B3;
if not, enter step B6;
B3, the Agent plug-in receives the encrypted connection information sent by the policy control center and initiates a TLS tunnel connection request to the security gateway;
B4, the security gateway performs identity authentication of the current user and judges whether the authentication passes;
if yes, enter step B5;
if not, enter step B6;
B5, the Agent plug-in is controlled to connect to the back-end resource according to the current trusted network policy issued by the policy control center, and the north-south traffic is securely admitted;
B6, rejecting the user's access request;
the micro-isolation policy corresponding to real-time association of the network access device security state with the network is specifically as follows:
C1, during network operation, the Agent plug-in acquires the security elements of the access device in real time;
C2, based on the acquired security elements and the trusted network policy of the policy control center, performing trust evaluation scoring of the current access device;
C3, judging whether the trust evaluation score of the current access device is lower than the set threshold;
if yes, enter step C4;
if not, enter step C8;
C4, judging whether the current access device is in an extranet environment or an intranet environment;
if it is the intranet environment, enter step C5;
if it is the extranet environment, enter step C6;
C5, controlling the Agent plug-in to automatically link with the trusted network policy, isolating the current access device, and entering step C7;
C6, controlling the Agent plug-in to automatically link with the security gateway, blocking the network access behaviour of the current device, and entering step C7;
C7, completing access-device environment sensing and realizing security environment verification;
C8, reporting the trust evaluation score of the current access device to the policy control center.
2. The micro-isolation protection method according to claim 1, wherein in step A5 the subjects between which the trusted network policy is executed include hosts and security domains, i.e. the policy is executed between hosts and between security domains.
3. The micro-isolation protection method according to claim 1, wherein in step B3 the encrypted connection information received by the Agent plug-in includes the security gateway and resource information sent by the policy control center to the Agent plug-in through an encrypted channel, and the security gateway is dynamically sent the admitted user and the information on the resources that user accesses.
4. The micro-isolation protection method according to claim 1, wherein the security elements in step C1 include system and application vulnerabilities, virus scanning and killing status, hardware configuration changes and Internet environment behaviour.
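Steps A1-A7 of claim 1 amount to baselining observed east-west flows into an allow-list (the trusted network policy), having the administrator confirm and adjust it, and then enforcing it at each Agent while reporting non-conforming flows back to the policy control center. The following Python is an added example, not code from the patent or its assignee; FlowRecord, Rule, the byte thresholds, the class names and the sample flows are constructed for illustration. It also shows the trigger condition of the claim (total east-west volume above a set threshold) and a minimum-volume cut-off during baselining, so that a single stray probe seen while collecting does not silently become policy.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One east-west flow observed by an Agent (constructed sample type)."""
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Rule:
    """One entry of the trusted network policy: who may talk to whom, on what."""
    src: str
    dst: str
    dport: int
    proto: str


def rule_of(flow):
    return Rule(flow.src, flow.dst, flow.dport, flow.proto)


def learn_trusted_policy(flows, min_bytes):
    """A3: derive an allow-list from collected flows. Only (src, dst, port, proto)
    tuples whose aggregate volume reaches min_bytes are trusted."""
    volume = Counter()
    for f in flows:
        volume[rule_of(f)] += f.nbytes
    return frozenset(r for r, v in volume.items() if v >= min_bytes)


class PolicyControlCenter:
    def __init__(self, threshold_bytes, min_rule_bytes):
        self.threshold_bytes = threshold_bytes   # set threshold of the claim's condition
        self.min_rule_bytes = min_rule_bytes     # baselining cut-off (assumption)
        self.policy = frozenset()
        self.violations = []

    def east_west_exceeds_threshold(self, flows):
        """Condition for adaptive control: total east-west traffic > set threshold."""
        return sum(f.nbytes for f in flows) > self.threshold_bytes

    def generate_policy(self, flows):
        """A3: build the trusted network policy from A2's collected traffic."""
        self.policy = learn_trusted_policy(flows, self.min_rule_bytes)
        return self.policy

    def administrator_review(self, remove=(), add=()):
        """A4: the administrator confirms and optimises the generated policy."""
        self.policy = (self.policy - frozenset(remove)) | frozenset(add)
        return self.policy

    def report_violation(self, flow):
        """A7: a denied flow is reported so the policy can be regenerated (A3)."""
        self.violations.append(flow)


class Agent:
    def __init__(self, center):
        self.center = center
        self.policy = frozenset()

    def receive_policy(self, policy):
        self.policy = policy            # A5: policy issued by the center

    def enforce(self, flow):
        """A6/A7: allow conforming traffic, deny and report anything else."""
        if rule_of(flow) in self.policy:
            return "allow"
        self.center.report_violation(flow)
        return "deny"


def run_demo():
    """Constructed baseline: two web->db bursts, a cache flow, a low-volume
    app->db flow and a single SSH probe from a workstation."""
    baseline = [
        FlowRecord("web-01", "db-01", 3306, "tcp", 8_000),
        FlowRecord("web-01", "db-01", 3306, "tcp", 6_000),
        FlowRecord("web-01", "cache-01", 6379, "tcp", 2_500),
        FlowRecord("app-01", "db-01", 3306, "tcp", 400),
        FlowRecord("ws-17", "db-01", 22, "tcp", 120),
    ]
    center = PolicyControlCenter(threshold_bytes=10_000, min_rule_bytes=1_000)
    agent = Agent(center)
    triggered = center.east_west_exceeds_threshold(baseline)
    if triggered:
        center.generate_policy(baseline)
        # The administrator knows app-01 legitimately reaches the database.
        center.administrator_review(add=[Rule("app-01", "db-01", 3306, "tcp")])
        agent.receive_policy(center.policy)
    verdicts = {
        "web->db": agent.enforce(FlowRecord("web-01", "db-01", 3306, "tcp", 900)),
        "app->db": agent.enforce(FlowRecord("app-01", "db-01", 3306, "tcp", 300)),
        "ws->db-ssh": agent.enforce(FlowRecord("ws-17", "db-01", 22, "tcp", 64)),
    }
    return triggered, len(center.policy), verdicts, len(center.violations)
```

The administrator step is where the low-volume but legitimate app->db flow is restored to the policy, while the workstation's SSH probe stays out and is later denied and reported. Without that review step a learned allow-list would either admit everything seen during baselining or block quiet-but-necessary services.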
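Steps B1-B6 of claim 1 describe a two-stage admission: the policy control center verifies the user, hands the Agent encrypted connection information naming the security gateway and the resource (claim 3), and the gateway verifies the user again before the connection to the back-end resource is made. As an added example that is not part of the patent, the following Python simulates that exchange with both sides' messages. The grant format, the HMAC secret shared between the center and the gateway, the nonce-based replay check and the class names are assumptions; the TLS tunnel of step B3 itself is not modelled, the grant is simply what the Agent would present inside it.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(obj):
    """Stable byte encoding so both sides MAC exactly the same data."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class PolicyControlCenter:
    """B2 identity verification and B3 connection information."""

    def __init__(self, gateway_name, gateway_key):
        self.gateway_name = gateway_name
        self.gateway_key = gateway_key  # secret shared with the gateway (assumption)
        self.users = {}                 # username -> (salt, password hash, resources)

    def register(self, username, password, resources):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self.users[username] = (salt, digest, frozenset(resources))

    def verify_identity(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, digest)

    def connection_info(self, username, resource, now, ttl=60):
        """B3: name the gateway to tunnel to and hand over a short-lived,
        MAC-protected grant binding user and resource (claim 3's information)."""
        _, _, allowed = self.users[username]
        if resource not in allowed:
            return None
        grant = {"user": username, "resource": resource,
                 "gateway": self.gateway_name, "exp": now + ttl,
                 "nonce": secrets.token_hex(8)}
        mac = hmac.new(self.gateway_key, _canonical(grant), hashlib.sha256).hexdigest()
        return {"grant": grant, "mac": mac}


class SecurityGateway:
    """B4: second check, independent of the center's own session state."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.seen_nonces = set()

    def authenticate(self, grant, mac, now):
        expected = hmac.new(self.key, _canonical(grant), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False                 # forged or tampered grant
        if grant["gateway"] != self.name or grant["exp"] < now:
            return False                 # meant for another gateway, or expired
        if grant["nonce"] in self.seen_nonces:
            return False                 # replayed grant
        self.seen_nonces.add(grant["nonce"])
        return True


class Agent:
    def __init__(self, center, gateway):
        self.center, self.gateway = center, gateway

    def request_access(self, username, password, resource, now):
        if not self.center.verify_identity(username, password):        # B1/B2
            return "rejected:center"                                    # B6
        info = self.center.connection_info(username, resource, now)     # B3
        if info is None:
            return "rejected:center"
        if not self.gateway.authenticate(info["grant"], info["mac"], now):  # B4
            return "rejected:gateway"                                   # B6
        return "connected:" + info["grant"]["resource"]                 # B5


def run_demo():
    key = secrets.token_bytes(32)
    center = PolicyControlCenter("gw-01", key)
    gateway = SecurityGateway("gw-01", key)
    center.register("alice", "correct horse", ["reports-db"])   # constructed user
    agent = Agent(center, gateway)
    now = 1_700_000_000
    results = {
        "ok": agent.request_access("alice", "correct horse", "reports-db", now),
        "bad_pw": agent.request_access("alice", "wrong", "reports-db", now),
        "no_entitlement": agent.request_access("alice", "correct horse", "hr-db", now),
    }
    info = center.connection_info("alice", "reports-db", now)
    tampered = dict(info["grant"], resource="hr-db")
    results["tampered"] = gateway.authenticate(tampered, info["mac"], now)
    results["expired"] = gateway.authenticate(info["grant"], info["mac"], now + 3600)
    return results
```

The gateway never consults the center's password store; it trusts only what the center signed, for as long as the grant says, and only once. That is what makes the B4 check a genuine second verification rather than a repeat of B2.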

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111056649.1A CN113783871B (en) 2021-09-09 2021-09-09 Micro-isolation protection system adopting zero trust architecture and protection method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111056649.1A CN113783871B (en) 2021-09-09 2021-09-09 Micro-isolation protection system adopting zero trust architecture and protection method thereof

Publications (2)

Publication Number Publication Date
CN113783871A CN113783871A (en) 2021-12-10
CN113783871B true CN113783871B (en) 2023-09-19

Family

ID=78842138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111056649.1A Active CN113783871B (en) 2021-09-09 2021-09-09 Micro-isolation protection system adopting zero trust architecture and protection method thereof

Country Status (1)

Country Link
CN (1) CN113783871B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301693B (en) * 2021-12-30 2023-03-14 同济大学 Hidden channel security defense system for cloud platform data
CN114598740B (en) * 2022-03-04 2024-02-02 北京优炫软件股份有限公司 Micro-isolation data grabbing method and system
CN115001804B (en) * 2022-05-30 2023-11-10 广东电网有限责任公司 Bypass access control system, method and storage medium applied to field station
CN116633693B (en) * 2023-07-24 2023-10-31 深圳市永达电子信息股份有限公司 Trusted security gateway implementation method based on full-element network identification

Citations (5)

Publication number Priority date Publication date Assignee Title
CN108494729A (en) * 2018-02-07 2018-09-04 北京卓讯科信技术有限公司 A kind of zero trust model realization system
CN109167795A (en) * 2018-09-27 2019-01-08 深信服科技股份有限公司 A kind of safety defense system and method
CN111917714A (en) * 2020-06-18 2020-11-10 云南电网有限责任公司信息中心 Zero trust architecture system and use method thereof
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
CN113051602A (en) * 2021-01-22 2021-06-29 东南大学 Database fine-grained access control method based on zero trust architecture

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US20080040418A1 (en) * 2006-08-11 2008-02-14 Risaris Accessing existing data using a service oriented architecture gateway
US11411958B2 (en) * 2019-01-18 2022-08-09 Cisco Technology, Inc. Machine learning-based application posture for zero trust networking
US11863588B2 (en) * 2019-08-07 2024-01-02 Cisco Technology, Inc. Dynamically tailored trust for secure application-service networking in an enterprise

Non-Patent Citations (2)

Title
Research on a zero-trust-based converged solution for secure enterprise cloud adoption; 苗功勋, 蔡力兵; 《保密科学技术》 (Secrecy Science and Technology); 2021-08-20; pp. 25-32 *

Also Published As

Publication number Publication date
CN113783871A (en) 2021-12-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant